1
00:00:04,280 --> 00:00:10,840
 Hello and welcome to this recording on a feature
 of WPA3 called Beacon Protection.

2
00:00:10,840 --> 00:00:16,720
 So let's just do a quick review
 of what beacons are.

3
00:00:16,720 --> 00:00:21,360
 So beacon frames are 802.11 management
 frames and they're used for a lot

4
00:00:21,360 --> 00:00:23,060
 of different reasons.

5
00:00:23,060 --> 00:00:25,420
 Certainly you probably know that they're
 used by wireless LAN clients

6
00:00:25,420 --> 00:00:27,840
 to discover the wireless LAN.

7
00:00:27,840 --> 00:00:31,600
 You know, what SSIDs are around me
 and what are their capabilities?

8
00:00:31,600 --> 00:00:35,740
 Inside the beacon it says things like
 what authentication mechanisms are

9
00:00:35,740 --> 00:00:40,140
 in use, what encryption mechanisms are
 in use, what channels are in use,

10
00:00:40,140 --> 00:00:41,040
 a whole bunch of things.

11
00:00:41,040 --> 00:00:43,520
 Beacons are crammed full of information.

12
00:00:43,520 --> 00:00:46,960
 They also help the wireless LAN clients
 to maintain their association

13
00:00:46,960 --> 00:00:48,540
 to the wireless LAN.

14
00:00:48,540 --> 00:00:52,960
 A wireless LAN client has to be able
 to receive beacons. If for some reason,

15
00:00:52,960 --> 00:00:56,780
 either because the client has moved too
 far away or there's been an increase

16
00:00:56,780 --> 00:01:01,280
 in radio frequency interference, it
 can no longer receive beacons, that

17
00:01:01,280 --> 00:01:05,020
 client may have to look for a different
 wireless LAN to associate to.

18
00:01:05,020 --> 00:01:09,020
 Now beacons are sent in plain text and
 unencrypted, so if you do a Wi-Fi

19
00:01:09,020 --> 00:01:13,120
 sniffer trace you can read
 them from beginning to end.

20
00:01:13,120 --> 00:01:17,340
 Now once associated to a wireless LAN,
 beacon spoofing could occur, in

21
00:01:17,340 --> 00:01:21,580
 which case you've got a rogue access
 point sending out its own beacons.

22
00:01:21,580 --> 00:01:24,940
 The worst-case scenario is where you've
 got an access point that's actually

23
00:01:24,940 --> 00:01:29,620
 spoofing the MAC address of your legitimate
 access point, but the beacons

24
00:01:29,620 --> 00:01:33,980
 the rogue MAC address is sending are
 giving clients faulty or incorrect

25
00:01:33,980 --> 00:01:38,720
 information. It can result in the disassociation
 of clients, rate limiting

26
00:01:38,720 --> 00:01:42,900
 the client. You know what, if the rogue
 access point says, oh, I only support,

27
00:01:42,900 --> 00:01:46,860
 this wireless LAN only supports one
 megabit per second and that's it.

28
00:01:46,860 --> 00:01:50,320
 Wow, imagine how that's going to really
 impact your Wi-Fi if you start

29
00:01:50,320 --> 00:01:53,260
 believing that and rate limit
 yourself down to that.

30
00:01:53,260 --> 00:01:56,420
 It can even force you off onto a different
 channel by sending a channel

31
00:01:56,420 --> 00:01:58,120
 switch announcement.

32
00:01:58,120 --> 00:02:05,100
 So WPA3 added beacon protection
 to reduce some of these risks.

33
00:02:05,100 --> 00:02:06,780
 So how are they protected?

34
00:02:06,780 --> 00:02:12,540
 Well, if you've seen my video on WPA3
 Protected Management Frames, PMF, guess

35
00:02:12,540 --> 00:02:15,600
 what, the same concept applies here.

36
00:02:15,600 --> 00:02:19,860
 So the idea is we can't encrypt beacons,
 so beacons still have to be sent

37
00:02:19,860 --> 00:02:24,080
 in plain text so that everybody can
 read them, even clients who aren't

38
00:02:24,080 --> 00:02:27,320
 associated to the wireless LAN
 yet but are considering it.

39
00:02:27,320 --> 00:02:31,800
 So we can't encrypt it, but we can validate
 the integrity and authentication

40
00:02:31,800 --> 00:02:36,020
 of the beacon by adding a message
 integrity code, or a MAC.

41
00:02:36,020 --> 00:02:46,800
 So we've got the access point. We'll use
 a special key just for this purpose,

42
00:02:46,800 --> 00:02:48,900
 a temporal key, the BIGTK.

43
00:02:48,900 --> 00:02:54,620
 So just like there are other keys that
 the access points will give to

44
00:02:54,620 --> 00:03:01,560
 the clients, for example the group temporal
 key, the IGTK, those and

45
00:03:01,560 --> 00:03:06,080
 this one are transmitted in EAPOL-Key
 message number three.

46
00:03:06,080 --> 00:03:09,880
 So you have to go through that four-way
 handshake in order to receive

47
00:03:09,880 --> 00:03:13,760
 this key. Now what does this mean for
 clients who aren't associated to

48
00:03:13,760 --> 00:03:15,220
 the wireless LAN yet?

49
00:03:15,220 --> 00:03:18,060
 Well, they'll still be able to receive
 those beacons and parse them

50
00:03:18,060 --> 00:03:20,900
 and see what's inside them. It's just
 until they're actually associated

51
00:03:20,900 --> 00:03:25,000
 to the wireless LAN and have gone through
 the EAPOL handshake they

52
00:03:25,000 --> 00:03:28,300
 won't be able to parse that message integrity
 code and they won't be able

53
00:03:28,300 --> 00:03:33,620
 to tell if the access point is a legitimate
 or rogue access point until

54
00:03:33,620 --> 00:03:35,400
 they've gone through that part.

55
00:03:35,400 --> 00:03:40,320
 So this is only for integrity, not
 encryption, and it's shared among

56
00:03:40,320 --> 00:03:44,620
 all clients, just like the group temporal
 key is; they're associated with

57
00:03:44,620 --> 00:03:48,880
 that SSID. Now in order to have this
 feature you have to have protected

58
00:03:48,880 --> 00:03:51,220
 management frames turned on.

59
00:03:51,220 --> 00:03:55,280
 So this is not an independent feature;
 this is something that is optional,

60
00:03:55,280 --> 00:03:59,280
 but if you want it you have
 to already be running PMF.

61
00:03:59,280 --> 00:04:06,440
 Now if you're running Wi-Fi 7 or higher,
 it turns out that beacon protection,

62
00:04:06,440 --> 00:04:10,220
 just like protected management
 frames, is required.

63
00:04:10,220 --> 00:04:15,120
 Now actually in WPA3, protected management
 frames is already required, at

64
00:04:15,120 --> 00:04:19,480
 least on Cisco devices; you can't create
 a WPA3 wireless LAN without having

65
00:04:19,480 --> 00:04:21,460
 protected management frames.

66
00:04:21,460 --> 00:04:25,900
 Now beacon protection, as a side feature,
 is optional in

67
00:04:25,900 --> 00:04:30,020
 Wi-Fi 6E and lower, but above
 that you've got to have it.

68
00:04:30,020 --> 00:04:31,560
 Now how do we actually enable it?

69
00:04:31,560 --> 00:04:39,940
 Well, on 17.15 code or later, and that's
 a critical thing here, if you're

70
00:04:39,940 --> 00:04:42,900
 going to be actually doing this in the
 lab make sure your controller is

71
00:04:42,900 --> 00:04:48,640
 running 17.15 or higher, then you will
 see, when you select WPA3 as your

72
00:04:48,640 --> 00:04:53,720
 wireless LAN type, there will now be
 a checkbox that you can check for

73
00:04:53,720 --> 00:04:56,100
 beacon protection.

74
00:04:56,100 --> 00:04:59,860
 Now how do we actually know if it's
 working, if it's doing anything?

75
00:04:59,860 --> 00:05:04,840
 Well, if you open up your beacon frame
 you will see here, under extended

76
00:05:04,840 --> 00:05:09,320
 capabilities octet 11, so this will be
 like the last octet under extended

77
00:05:09,320 --> 00:05:13,800
 capabilities, if you open that up you'll
 see a flag set to number one saying

78
00:05:13,800 --> 00:05:19,120
 beacon protection enabled, yes, it's
 true, and then down at the bottom of

79
00:05:19,120 --> 00:05:22,360
 the beacon, I had to cut out some stuff
 here, but at the bottom you'll see

80
00:05:22,360 --> 00:05:27,060
 this additional element called the Management
 MIC element, and this actually

81
00:05:27,060 --> 00:05:32,120
 contains the message integrity code,
 so these two things taken together

82
00:05:32,120 --> 00:05:37,500
 provide your validation that the
 beacon protection feature is on.

83
00:05:37,500 --> 00:05:44,420
 Now there's really no way to see the
 actual BIGTK, just like there's no

84
00:05:44,420 --> 00:05:47,540
 way to see the group temporal key, because
 even though it's transmitted

85
00:05:47,540 --> 00:05:52,260
 from the access point to the client in
 EAPOL-Key message number three,

86
00:05:52,260 --> 00:05:56,800
 remember that EAPOL-Key message number
 three is actually, the contents

87
00:05:56,800 --> 00:06:02,020
 of it are encrypted with the key encryption
 key that was derived in message

88
00:06:02,020 --> 00:06:08,020
 number one. So we can see down here
 the WPA key data, and this is going

89
00:06:08,020 --> 00:06:14,020
 to be our group temporal key, possibly
 an IGTK, and the BIGTK if we're

90
00:06:14,020 --> 00:06:18,960
 doing that as well, and this is all encrypted
 with the key encryption key

91
00:06:18,960 --> 00:06:24,420
 between the client and the access point.
 So just some final thoughts on

92
00:06:24,420 --> 00:06:29,700
 this. So beacon protection will only
 protect the client from rogue access

93
00:06:29,700 --> 00:06:35,000
 points that are attempting to spoof,
 via MAC duplication, the legitimate

94
00:06:35,000 --> 00:06:40,060
 access point. If somebody has a rogue access
 point out there and they haven't

95
00:06:40,060 --> 00:06:43,120
 bothered to do that, they say, you know
 what, I'm going to insert an access

96
00:06:43,120 --> 00:06:48,720
 point that's advertising the exact
 same SSID as the corporate SSID and

97
00:06:48,720 --> 00:06:51,760
 I'll just leave my own MAC address alone,
 I'm not going to change it, well

98
00:06:51,760 --> 00:06:56,480
 then beacon protection doesn't protect
 against that. Remember, ultimately

99
00:06:56,480 --> 00:07:01,780
 it's up to the client to decide which
 access point it's going to try to

100
00:07:01,780 --> 00:07:06,880
 join, and that's typically based on the
 power or the clarity of the signal

101
00:07:06,880 --> 00:07:12,360
 that the access point has in its beacon.
 So if my legitimate corporate

102
00:07:12,360 --> 00:07:17,020
 access point is behind a couple of
 walls for me and the signal is, you

103
00:07:17,020 --> 00:07:21,260
 know, moderate to weak, and all of a sudden
 a rogue access point is placed

104
00:07:21,260 --> 00:07:25,780
 right in the same room as I am, chances
 are pretty good that my client

105
00:07:25,780 --> 00:07:30,000
 will try to join to the rogue access
 point, and this feature is not going

106
00:07:30,000 --> 00:07:36,260
 to prevent that. One final thought: older
 Cisco Wave 2 Aironet access

107
00:07:36,260 --> 00:07:39,420
 point models, and you've got some models
 here, unfortunately do not have

108
00:07:39,420 --> 00:07:44,180
 the hardware capability to support
 beacon protection, so if you want to

109
00:07:44,180 --> 00:07:46,860
 try to do this in the lab with your own
 access point that maybe you bought

110
00:07:46,860 --> 00:07:50,300
 off of eBay or something, make sure
 you don't buy one of the older ones

111
00:07:50,300 --> 00:07:54,880
 like this, because you won't be able to
 do it. So that concludes this video.
